Method for controlling access to an encrypted programme

ABSTRACT

This invention relates to an access control method for an encrypted program transmitted by an operator to a plurality of groups of subscribers, each group of subscribers being issued with a group key KG, and each subscriber being able to receive from the operator an operating key KT, enciphered by the group key KG, for decryption of the transmitted program.
The method according to the invention further comprises the following steps:
Prior to transmission of the encrypted program,
a—linking the enciphered operating key KT to a random value R to generate a secret code;
b—transmitting the secret code to subscribers,
c—transmitting the random value R to subscribers for calculation of the operating key KT, when the encrypted program is transmitted.

TECHNICAL FIELD

[0001] This invention relates to an access control method for an encrypted program transmitted by an operator to a plurality of groups of subscribers, each group of subscribers having a group key KG, and each subscriber receiving from the operator, when the encrypted program is transmitted, an operating key KT enciphered by the group key KG, for decryption of the transmitted program.

PRIOR ART

[0002] Using the DVB standard, transmitted programs are encrypted using a control word CW that is changed at the end of the period for which the program is transmitted. A new control word for the same program or for a new program is transmitted to subscribers with the ECM and EMM access control messages (respectively “Entitlement Control Message” and “Entitlement Management Message”).

[0003] ECMs have three fields: the first field contains the access parameters that define the conditions for access to the encrypted program, such as for example parental control or geographic restriction of reception for the transmitted program, the second field contains the control word CW enciphered by the operating key KT and the third field contains the integrity control parameters for the transmitted data.

[0004] EMMs generally have four fields: the first field is an address field for selecting an individual decoder, the second field contains the user's access authorisation, the third field contains the operating key KT enciphered by the group key KG, and the fourth field contains the integrity control parameters for the transmitted data.

[0005] ECMs are transmitted with the encrypted program whilst EMMs are usually transmitted prior to the transmission date for such programs.

[0006] For a group of subscribers g, the result of enciphering the operating key KT by the group key KG is issued in an enciphered EMM, EMM_(g) = F(KT, KG), where F is an enciphering algorithm. When a decoder receives this EMM, it checks whether the operating key KT has already been stored, in a smart card for example. If not, the key is deciphered using the inverse function F⁻¹ then stored in the smart card. When the encrypted program is transmitted the key KT is used by the enciphering algorithm to decipher the control word CW which was used to encrypt the data for the transmitted program.

[0007] FIG. 1 shows a diagram of an example of a system for receiving encrypted programs transmitted by an operator 1. To receive these programs a subscriber needs a receiver 2, a decoder 4 and a smart card 6 which must be inserted in the decoder 4 and on which is stored the group key KG common to a group of cards N, N being 256, for example. A modem 8 connected to the subscriber's telephone line provides a feedback channel between the subscriber and the operator 1. An aerial 12 receives the signals transmitted by the operator 1 and transmits them to the decoder 4.

[0008] FIG. 2 shows a diagram of how the system in FIG. 1 works.

[0009] The operator 1 sends an operating key KT enciphered using the group key KG for each group to a transmission system 14 (arrow 15). The transmission system 14 sends the whole EMM_(i) = F(KG_(i), KT) to each decoder 4 (arrows 17). Each decoder 4 transfers the EMM_(g) for the group to the smart card 6 (arrows 18) of a subscriber in group g. When it receives the EMM_(g), the smart card 6 deciphers the key KT using the group key KG and stores the deciphered key. On the date on which an encrypted program is to be transmitted, the operator transmits the ECM_(i)s in a cyclical fashion, with the encrypted program, to the decoders 4. When it receives the ECM_(i)s, the decoder 4 selects the ECM_(i)s for the transmitted key KT and sends them to the smart card.

[0010] One weakness of this method stems from the fact that the operating key KT is common to all users. As a result, it is possible for a user, who succeeds in finding out his group key KG, to fraudulently calculate the operating key KT and to transmit it.

[0011] The purpose of this invention is to identify the origin of a fraudulent transmission of an operating key KT.

[0012] Another purpose of this invention is to make it impossible for a potential defrauder to predict the date on which an operating key KT will be used.

[0013] In a first embodiment of the invention, the method comprises the following steps:

[0014] Prior to transmission of the encrypted program,

[0015] a—linking the enciphered operating key KT to a random value R to generate a secret code;

[0016] b—transmitting this secret code to subscribers, and

[0017] c—transmitting the random value R to subscribers for calculation of the operating key KT, only when the encrypted program is transmitted.

[0018] According to the invention, the secret code is calculated using a reversible arithmetic function.

[0019] According to the invention, the reversible arithmetic function is the logical operation XOR.

[0020] According to the invention, the secret code calculated is stored in a smart card.

[0021] In a second embodiment of the invention, where each subscriber can receive a whole number m of operating keys KT_(i) from the operator, for decryption of a transmitted program, the method comprises the following steps:

[0022] Prior to transmission of the encrypted program,

[0023] a—linking each enciphered operating key KT_(i) to a random value R_(i) to generate a whole number r of distinct secret codes;

[0024] b—transmitting the secret codes generated to each subscriber; and

[0025] c—transmitting the random value R_(i) to subscribers for calculation of an operating key KT_(i) among the m KT_(i) keys, only when the encrypted program is transmitted, and for a period chosen by the operator,

[0026] d—transmitting a new random value R_(i) to subscribers to change the operating key KT_(i).

[0027] According to one characteristic of this embodiment, the random values R_(i) are transmitted successively to subscribers on dates that cannot be predicted.

[0028] According to the invention, each secret code is calculated using a reversible arithmetic function.

[0029] According to the invention, the secret codes calculated are stored in a smart card.

[0030] Thanks to this invention, if a defrauder wishes to publicly transmit the key KT prior to transmission of the program requiring decryption, he must transmit the value of the EMM_(g), which will enable the operator to identify the group to which the defrauder belongs.

BRIEF DESCRIPTION OF THE FIGURES

[0031] Other characteristics and advantages of the invention will be evident from the description that follows, by way of a non-limitative example, with reference to the appended figures in which:

[0032] FIG. 1 described above shows a known example of a system for receiving encrypted programs;

[0033] FIG. 2 described above shows an operation diagram of the system shown in FIG. 1;

[0034] FIG. 3 shows a diagram of an initial embodiment of the invention method;

[0035] FIG. 4 shows a diagram of a second embodiment of the invention method.

DETAILED DESCRIPTION OF THE MODE FOR IMPLEMENTATION OF THE INVENTION

[0036] In the following description, identical numerals are used to identify the components and steps that are common to the prior art and to the invention method.

[0037] With reference to FIG. 3, an operator 1 links a random value R to an operating key KT and sends the resulting secret code to a transmission system 14 (arrow 15). More preferably, the operating key KT enciphered using the group key KG is combined using the logical operation XOR, with the secret random value R. The code generated can only be deciphered if the random value R is revealed. The transmission system 14 then sends to each decoder 4 (arrows 17) for a group i, where i designates a list of a group of subscribers from n distinct groups, an EMM calculated using the formula:

EMM _(i) =F(KG _(i) ,KT) ⊕ R.

[0038] Each decoder 4 transfers the EMM_(i) for group i to the smart card 6 (arrow 18). On the date on which the encrypted program is to be transmitted, the operator transmits the ECMs in a cyclical fashion, with this program, to the decoders 4. These ECMs contain the control word CW used to encrypt the data for the transmitted program. The decoder 4 selects the ECM_(i)s for the key KT and sends them to the smart card 6, which stores the secret code generated. So long as the operator has not transmitted the random value R, the smart card cannot decipher the secret code to reveal the operating key KT. This enables the operator to transmit the random value R as late as possible, i.e. only when the operating key KT needs to be used to decipher the control word CW. As soon as the key KT is used, the operator transmits the following value to the decoders 4:

ECM=R ⊕ F(EMM _(g) ⊕ R,KG).

[0039] The algorithm stored by the smart card can then calculate the value for the operating key KT by performing the following operation:

KT=F ⁻¹(EMM _(g) ⊕ R,KG);

[0040] The control word can then be revealed using the following formula:

CW=F ⁻¹(ECM,KT).

[0041] If a defrauder wishes to publicly transmit the key KT prior to the start of transmission of the encrypted program, he must transmit the value EMM_(g), which is linked to the group key KG. The operator will be in a position to identify the group to which the defrauder belongs and to withdraw this group's access rights.

[0042] This embodiment therefore dissuades the defrauder from transmitting the operating keys KT when he receives the EMMs.

[0043] Nevertheless, when the value R is revealed by the operator, the value for the operating key KT can be recalculated and publicly transmitted.

[0044] In addition, to prevent this transmission, or at least to make it complicated, according to a second embodiment of the invention shown in FIG. 4, prior to transmission of the encrypted program, the operator 1 sends a whole number m of operating keys KT₁,KT₂ . . . KT_(i), KT_(m), to the transmission system 14 (arrow 15). Each key KT_(i) is enciphered using the group key KG for the group i and is linked, using the logical operation XOR, to a secret random value R_(i), known only to the operator, in such a way as to generate a secret code that can only be deciphered if the number R_(i) is revealed.

[0045] The transmission system 14 transmits all the EMMs calculated using the following formula to each decoder 4 (arrows 17):

EMM _(i) = F(KG _(i) ,KT ₁) ⊕ R ₁ ∥ F(KG _(i) ,KT ₂) ⊕ R ₂ ∥ . . . F(KG _(i) ,KT _(i)) ⊕ R _(i) ∥ . . . F(KG _(i) ,KT _(m)) ⊕ R _(m) ∥.

[0046] Where the symbol ∥ represents the concatenation operation.

[0047] The decoder 4 for the group i transfers the EMM_(i) for the group to the smart card 6 (arrow 18). On the date on which an encrypted program is to be transmitted, the operator transmits the ECMs in a cyclical fashion, with the encrypted program, to the decoders 4. These ECMs contain the control word CW used to encrypt the data for the transmitted program. The decoder 4 selects the ECM_(i)s that match the key KT_(i) and sends them to the smart card 6, which stores the secret code generated. So long as the operator has not transmitted the random value R_(i), the smart card cannot decipher the secret code to reveal the operating key KT_(i). Each key KT_(i) remains stored in the smart card 6.

[0048] The values R_(i) are transmitted via the ECMs, in accordance with the key used to encipher the control words.

[0049] As soon as the key KT_(i) is used, the operator transmits the following ECM to the decoder 4:

ECM=R _(i) ∥ F(CW, KT _(i))

[0050] This embodiment enables the different operating keys KT_(i) to be allocated a period of validity that is sufficiently short and unpredictable to make fraudulent transmission of a key KT_(i) complicated once the number R_(i) has been revealed.

[0051] Thanks to this second embodiment, the operator can change the key KT_(i) in an unpredictable manner depending on the desirability of the programs transmitted.
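
An added Python sketch, not part of the patent text, of the second embodiment's message flow ([0044] to [0049]) together with the group identification described in [0041]. The patent leaves the cipher F unspecified, so a toy Feistel construction over SHA-256 stands in for it; the 16-byte block size, the key index j handed to the card, and all function names are assumptions.

```python
import hashlib
import secrets

BLOCK = 16  # bytes; KT, CW and R share this size in the sketch (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _rf(key, half, i):
    # Feistel round function: keyed SHA-256 truncated to half a block
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def F(key, block, rounds=4):
    # Stand-in for the patent's unspecified cipher F (toy Feistel, illustration only)
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(rounds):
        l, r = r, xor(l, _rf(key, r, i))
    return l + r

def F_inv(key, block, rounds=4):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(rounds)):
        l, r = xor(r, _rf(key, l, i)), l
    return l + r

def build_emm(kg, kts, rs):
    # Operator: EMM_i = F(KG_i,KT_1)^R_1 || ... || F(KG_i,KT_m)^R_m
    return b"".join(xor(F(kg, kt), r) for kt, r in zip(kts, rs))

def build_ecm(r_j, cw, kt_j):
    # Operator: ECM = R_j || F(CW, KT_j), sent only once KT_j is in use
    return r_j + F(kt_j, cw)

def card_recover_cw(kg, emm, j, ecm):
    # Smart card: unmask stored code j with R_j, decipher KT_j, then CW
    code = emm[j * BLOCK:(j + 1) * BLOCK]
    r_j, enc_cw = ecm[:BLOCK], ecm[BLOCK:]
    kt_j = F_inv(kg, xor(code, r_j))
    return F_inv(kt_j, enc_cw)

def trace_group(leaked_code, emms):
    # Operator: a secret code leaked before R_j is revealed is group-specific
    return [g for g, e in emms.items()
            if leaked_code in (e[o:o + BLOCK] for o in range(0, len(e), BLOCK))]

def demo(m=3, groups=("g1", "g2")):
    # Constructed sample data: random group keys, operating keys, R values, CW
    kgs = {g: secrets.token_bytes(BLOCK) for g in groups}
    kts = [secrets.token_bytes(BLOCK) for _ in range(m)]
    rs = [secrets.token_bytes(BLOCK) for _ in range(m)]
    cw = secrets.token_bytes(BLOCK)
    emms = {g: build_emm(kgs[g], kts, rs) for g in groups}
    ecm = build_ecm(rs[1], cw, kts[1])
    ok = all(card_recover_cw(kgs[g], emms[g], 1, ecm) == cw for g in groups)
    return ok, trace_group(emms["g2"][:BLOCK], emms)
```

`demo()` shows that the same ECM lets cards in both groups recover CW, while a secret code published before R is revealed matches only the EMM of the group it came from.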

1. Access control method for an encrypted program transmitted by an operator (1) to a plurality of groups of subscribers, each group of subscribers having a group key KG, and each subscriber being able to receive from the operator (1) an operating key KT, enciphered by the group key KG for decryption of the transmitted program, a method further characterised by the inclusion of the following steps: Prior to transmission of the encrypted program, a—linking the enciphered operating key KT to a random value R to generate a secret code; b—transmitting the secret code to subscribers, and c—transmitting the random value R to subscribers for calculation of the operating key KT, only when the encrypted program is transmitted.
2. Method according to claim 1, characterised by the fact that the secret code is calculated using a reversible arithmetic function.
3. Method according to claim 2, characterised by the fact that the reversible arithmetic function is the logical operation XOR.
4. Method according to claim 1, characterised by the fact that the secret code generated is stored in a smart card.
5. Access control method for an encrypted program transmitted by an operator (1) to a number of groups of subscribers, each group of subscribers being issued with a group key KG, and each subscriber being able to receive from the operator (1) a whole number m of operating keys KT_(i), for decryption of the program transmitted, a method characterised by the inclusion of the following steps: Prior to transmission of the encrypted program, a—linking each enciphered operating key KT_(i) to a random value R_(i) to generate a whole number m of distinct secret codes; b—transmitting the secret codes generated to each subscriber; c—transmitting the random value R_(i) to subscribers for calculation of an operating key KT_(i) from the m keys KT_(i) only when the encrypted program is transmitted, and for the period during which the encrypted program is being transmitted, d—transmitting a new random value R_(i) to subscribers to change the operating key KT_(i).
6. Method according to claim 5, characterised by the fact that the random values R_(i) are successively transmitted to subscribers on dates that cannot be predicted.
7. Method according to claim 6, characterised by the fact that each secret code is calculated using a reversible arithmetic function.
8. Method according to claim 7, characterised by the fact that the reversible arithmetic function is the logical operation XOR.
9. Method according to claim 6, characterised by the fact that so long as a key KT_(i) is not used, the random value R_(i) is not transmitted.
10. Method according to claim 7, characterised by the fact that each secret code is stored in a smart card (6).